Method for monitoring a network

ABSTRACT

A method for monitoring operation of a controller area network (CAN) comprising a plurality of nodes. The method comprises measuring a voltage associated with a CAN message transmitted on the network, determining a message signature in dependence on the measured voltage, and comparing the message signature with a node signature to determine the authenticity of the CAN message. One or more actions may be taken in dependence on the determined authenticity.

CROSS-REFERENCE TO RELATED APPLICATION

This application claims priority to and the benefit of Great BritainPatent Application No. GB2003599.4, filed Mar. 12, 2020, which isincorporated herein by reference.

TECHNICAL FIELD

The present technology relates to a method for monitoring a network, andin particular a method for monitoring a controller area network (CAN).The subject technology extends to a control system for a network, anetwork and a system comprising the network.

BACKGROUND

A control network typically comprises a number of devices or electroniccontrol units (ECUs), which may collectively be referred to as “nodes”.Each of these nodes may be responsible for controlling operation of partof a complete system either directly or under instruction from a centralcontrol unit. For instance, a control network may be provided in avehicle with individual nodes or control units including an enginemanagement controller, a HVAC control module, body electronics module,infotainment controller etc. Control networks are not limited tovehicles, and have applications in, for example, building managementsystems and manufacturing processes, amongst many other things.

Such control networks are vulnerable to “attacks” where access to thenetwork may be obtained illegitimately and then used to control theoverall system. Such attacks may take the form of a rogue device beingphysically connected to a network. The rogue device may act to mimic agenuine node of the network, or otherwise control nodes of the networkin order to control the overall system. Attacks may also take the formof remote control over one or more genuine nodes of the system andcausing those genuine nodes to operate incorrectly—e.g. by causing thosenodes to send messages on the network with incorrect identifiers, actingas if those inauthentic messages were sent by a different node on thenetwork.

Some prior art solutions are known which are able to detect whetherthere is an attack or not. For example, some prior art systems are knownwhich are operable to detect the introduction of another node onto thenetwork and determine an attack on this basis. However, most knownsolutions are unable to identify which, if any, node has beencompromised and take appropriate action. Hence, known solutions tend torequire complete shutdown of the network once an attack has beenidentified. This can result in the overall system being inoperable whichis inconvenient at best where the system is a vehicle, and potentiallyvery costly where the system forms part of, for example, a manufacturingprocess. It would therefore be advantageous to be able to isolate aparticular node at the centre of an attack and take appropriate localaction as this may allow for the overall system to continue to operate,either unaffected or in a limited capability mode, whilst the affectednode is addressed.

Known solutions which look to identify particular compromised nodes failadequately address these problems. For instance, one known solution(US2019/0245872A1) makes use of voltage discrepancies between signalsoriginating from different nodes on a controller area network, andattempts to use such discrepancies to discriminate between differentnodes. However, this solution introduces further drawbacks in thatwhilst any given message on the network may differ in its voltage leveldepending on its origin, those differences are relatively minor and aremasked by competing signals on the network, for instance duringarbitration and acknowledgement of the message. No complete solution hasbeen provided which overcomes these issues.

It would therefore be advantageous to provide an improved means ofmonitoring operation of a network to determine the authenticity ofmessages being sent over a network.

It is an aim of an embodiment or embodiments of the subject technologyto overcome or at least partially mitigate one or more problems with theprior art.

SUMMARY

According to an aspect of the subject technology there is provided amethod for monitoring operation of a network comprising a plurality ofnodes, the method comprising: measuring a voltage associated with amessage transmitted on the network, the measurements being obtained fora data field of the message, only; determining a message signature independence on the measured voltage, the message signature comprising avoltage characteristic associated with the measured voltage; comparingthe message signature with a node signature, the node signaturecomprising an expected voltage characteristic determined in dependenceon one or more previously measured messages on the network; anddetermining the authenticity of the message in dependence on thecomparison.

According to an aspect of the subject technology there is provided amethod for monitoring operation of a controller area network (CAN)comprising a plurality of nodes, the method comprising: measuring thevoltage associated with a CAN High (CANH) signal and a CAN Low (CANL)signal of a CAN message transmitted on the network from a node, themeasurements being obtained for the data field of the CAN message, only;determining a message signature in dependence on the measured voltages,the message signature comprising a first voltage characteristiccorresponding to the voltage associated with the CANH signal and asecond voltage characteristic corresponding to the voltage associatedwith CANL signal during transmission of the data field of the CANmessage; comparing the message signature with a node signature for thenode, the node signature comprising expected first and second voltagecharacteristics for the CANH and CANL signals, respectively, theexpected first and second voltage characteristics being determined independence on one or more previously measured CAN messages on thenetwork; and determining the authenticity of the CAN message independence on a difference between the first and second voltagecharacteristics of the message signature and the expected first andsecond voltage characteristics of the node signature.

Advantageously, the present technology makes use of the fact that thesetup of the network inherently leads to minor differences in thevoltage levels of the CANH and CANL signals between different nodes. Forinstance, the CANH and CANL signals may be influenced by factorsincluding different component characteristics associated with each node,the position of each node within the network, the length of the CAN bus,etc. Using this, the present technology is able to determine whether amonitored signal from a node is authentic—i.e. is a genuine signalwithin the context of the normal operation of the network, and is notrelated, for example, due to malicious access or attempts to control thenetwork. This is achieved by checking that the voltage characteristicsfor the CANH and CANL signals are as expected for a CAN messageidentifying as originating from a particular node. By measuring thevoltage associated with the CAN message only for the data field, andspecifically by ignoring the arbitration field and acknowledgementfields for voltage measurement purposes (although the arbitration fieldmay be used for ID purposes) where multiple nodes may be accessing (orattempting to access) the network, this ensures that only the CANH andCANL signals for a single node are being measured which might otherwiselead to an inaccurate determination of the voltage characteristic(s) forthe CAN message.

Optional features set out below may apply to any aspect of the subjecttechnology.

The subject technology is described here with reference to a controllerarea network (CAN). However, and as set out in one or more precedingaspects of the subject technology, the subject technology is not limitedin this sense. Rather, the subject technology is applicable to anynetwork type based on differential signalling. The subject technologyadvantageously identifies and isolates parts of the message frame whichcorrespond to only a single node transmitting data—for CAN, thiscorresponds primarily to the data field.

The method may comprise measuring the voltage associated with CANH andCANL signals for at least a portion of the data field of the CANmessage. The method may comprise measuring the voltage associated withthe CANH and CANL signals for substantially the whole data field of theCAN message.

The method may comprise measuring the voltage associated with CANH andCANL signals for a measurement time period. The measurement time periodmay be dependent on the length of the data field of the CAN message. Themeasurement time period may be dependent on the speed of the network.The measurement time period may be dependent on the data length code(DLC) of the CAN message. The method may comprise determining themeasurement time period. Advantageously, measuring the voltageassociated with the CANH and CANL signals for the measurement timeperiod may ensure that no voltage measurements are taken duringbits/fields following the data field, and in particular no voltagemeasurements are taken during the acknowledgement fields of the CANmessage.

The method may comprise identifying a start-of-frame (SOF) field of theCAN message. The method may comprise using the SOF field to trigger themeasurement of the voltage associated with the CANH and CANL signals ofthe CAN message. The method may comprise delaying measurement of theCANH and CANL voltage for a delay period. The delay period may bedependent on the speed of the network. The delay period may be dependenton the network configuration. For example, the delay period may bedependent on the length (e.g. the number of bits) of the CAN messagepreceding the data field. The number of bits preceding the data fieldfor a CAN message may differ between different CAN types, e.g. betweenCAN 2.0A (which may include 11 identifier bits) and CAN 2.0B (which mayinclude 29 identifier bits). The delay period may also be dependent on abuffer. The buffer may account for possible bit stuffing, for example,prior to the data field. The buffer may comprise a multiplication factorapplied to the length of the CAN message preceding the data field. Themethod may comprise determining the delay period. Advantageously, themethod may ensure that no voltage measurements are taken prior to thedata field, an in particular no voltage measurements are taken duringthe arbitration field.

The method may comprise obtaining multiple voltage measurements for boththe CANH and CANL signals. The first voltage characteristic may comprisean average voltage for the CANH signal. The second voltagecharacteristic may comprise an average voltage for the CANL signal.

The method may comprise determining whether each of the voltagemeasurements corresponds to a dominant or recessive bit. This maycomprise determining a voltage difference between the CANH and CANLsignals for voltage measurements obtained at the same time. For example,in some embodiments the method may comprise subtracting the CANL voltagefrom the CANH voltage. The difference may be compared to a threshold.The method may comprise determining that a voltage measurementcorresponds a dominant bit in dependence on the difference being greaterthan the threshold, and determining that a voltage measurementcorresponds to a recessive bit in dependence on the difference beingless than the threshold. The threshold may, for example, be 1V.Advantageously, using the difference between CANL and CANH voltages todiscriminate between dominant and recessive bits may account fornetworks with poor ground characteristics which might lead toinaccuracies were absolute voltage values used.

The method may comprise discarding voltage measurements corresponding torecessive bits. For example, the first voltage characteristic maycomprise a voltage associated with one or more dominant bits of the CANHsignal. The first voltage characteristic may comprise an average voltageassociated with a plurality of dominant bits of the CANH signal.Equally, the second voltage characteristic may comprise a voltageassociated with one or more dominant bits of the CANL signal. The secondvoltage characteristic may comprise an average voltage associated with aplurality of dominant bits of the CANL signal.

In an alternative embodiment, the method may comprise discarding voltagemeasurements corresponding to dominant bits. For example, the firstvoltage characteristic may comprise a voltage associated with one ormore recessive bits of the CANH signal. The first voltage characteristicmay comprise an average voltage associated with a plurality of recessivebits of the CANH signal. Equally, the second voltage characteristic maycomprise a voltage associated with one or more recessive bits of theCANL signal. The second voltage characteristic may comprise an averagevoltage associated with a plurality of recessive bits of the CANLsignal.

In a further embodiment the method may comprise determining a messagesignature which comprises four voltage characteristics. The four voltagecharacteristics may include a first voltage characteristic correspondingto the voltage associated with dominant bits of the CANH signal, asecond voltage characteristic corresponding to the voltage associatedwith recessive bits of the CANH signal, a third voltage characteristiccorresponding to the voltage associated with dominant bits of the CANLsignal, and a fourth voltage characteristic corresponding to the voltageassociated with recessive bits of the CANL signal. One or more of thefirst, second, third and fourth voltage characteristics may comprise anaverage voltage value obtained from a plurality of voltage measurementsobtained for the data field of the CAN message.

The node signature comprises expected first and second voltagecharacteristics for the CANH and CANL signals. The expected first andsecond voltage characteristics are determined in dependence on one ormore previously measured CAN messages on the network. For example, insome embodiments the node signature may be determined based on aplurality of message signatures determined based on voltage measurementsof a plurality of CAN messages on the network, e.g. in the same way asthe message signature of the measured CAN message described herein. Theprevious CAN messages on the network may comprise control messages whichare known to be authentic. The node signature(s) may be assigned to oneor nodes based on knowledge of the network.

The expected first and second voltage characteristics of a nodesignature may be determined in dependence on a plurality of messagesignatures of previously measured CAN messages on the network. Forinstance, the expected first voltage characteristic may comprise anaverage voltage characteristic of first voltage characteristics of aplurality of earlier CAN messages. In further embodiments, the expectedfirst voltage characteristic may be indicative of a statisticaldistribution of first voltage characteristics of a plurality of earlierCAN messages. Similarly, the expected second voltage characteristic maycomprise an average voltage characteristic of second voltagecharacteristics of a plurality of earlier CAN messages, or may beindicative of a statistical distribution of second voltagecharacteristics of a plurality of earlier CAN messages.

The expected first and second voltage characteristics may be determinedduring an installation phase of the network. The expected first andsecond voltage characteristics may be updated, in use, e.g. uponmeasurement and validation of an authentic CAN message.

The node signature(s) may be stored in a memory accessible by thenetwork. The method may comprise any one or more of generating, storingand/or retrieving the node signature(s).

The message signature may comprise a third voltage characteristicindicative of a voltage difference between the CANH and CANL signals ofthe CAN message. The node signature may comprise a correspondingexpected third voltage characteristic. The method may comprisedetermining the authenticity of the CAN message in dependence on adifference between the first, second and third voltage characteristicsof the message signature and the expected first, second and thirdvoltage characteristics of the node signature.

The method comprises determining the authenticity of the CAN message. Inembodiments, this comprises comparing the message signature with thenode signature, and determining the authenticity of the CAN message independence on a difference between the first and second voltagecharacteristics of the message signature and the expected first andsecond voltage characteristics of the node signature. The comparison maycomprise determining whether the first and/or second voltagecharacteristics of the message signature is/are within a thresholddifference from the corresponding expected first and/or second voltagecharacteristics. If the first and/or second voltage characteristics areoutside of the threshold difference, the method may comprise determiningthat the CAN message is inauthentic.

The difference between the first voltage characteristic and the expectedfirst voltage characteristic, and/or the difference between the secondvoltage characteristic and the expected second voltage characteristicmay be determined as a distance (e.g. in parameter space). For example,the method may comprise determining a Euclidean distance between thevoltage characteristics of the message signature and the expectedvoltage characteristics of the node signature. The determined distancemay be compared with a threshold, and the method may comprisedetermining an authenticity of the CAN message in dependence on saidcomparison. For example, the CAN message may be determined to beauthentic in dependence on the determined distance being less than thethreshold, and may be determined to be inauthentic in dependence on thedetermined distance being greater than the threshold.

The method may comprise characterising a CAN message once determined tobe inauthentic. The characterisation may relate to the possible cause ofthe inauthentic CAN message. For example, in some embodiments the methodmay comprise comparing the message signature for a particular CANmessage with a plurality of node signatures, each relating to differentnodes on the network. The method may comprise determining the origin ofthe CAN message in dependence on this comparison. For instance, if theCAN message is determined to be inauthentic—e.g. lie outside of athreshold difference or distance from the expected node signature forthat message—but be identified as “authentic” with respect to anothernode signature—e.g. lie within a threshold difference or distance forthe other node signature—it may be determined that the possible causefor the inauthentic CAN message is erroneous or possibly maliciouscontrol of a node of the network. If the CAN message is determined to beinauthentic for the expected node signature, and lies outside of anythreshold difference or distance for all other node signatures, it maybe determined that the possible cause for the inauthentic CAN message isan inauthentic node which has been later introduced to the network—e.g.an “attacker” connecting a inauthentic ECU to the network in an attemptto gain control of the network.

The method may comprise use of a reference node operable to provide areference CAN message on the network. The reference node may be a“trusted” node, that is a node which is known to be authentic. Themethod may comprise determining a message signature for the referenceCAN message, or indeed a node signature for the reference node independence on a plurality of reference CAN messages. The method maycomprise determining the message signature(s) and/or node signature(s)for other CAN messages originating from other nodes of the networkrelative to the message/node signature associated with the referencenode. For example, the first and/or second voltage characteristics of agiven message signature may comprise a relative voltage value, therelative voltage value being determined relative to the correspondingfirst and second voltage characteristics associated with the referencenode—e.g. as part of a determined node signature for the reference node.The relative voltage characteristics may be determined as a vector,containing data indicative of the distance and direction of the messagesignature with respect to the message/node signature associated with thereference node. Advantageously, the method may be used to monitor driftor other changes in the voltage characteristics of the network overtime.

The method may comprise controlling operation of the network independence on the determined authenticity of the CAN message. Forexample, where a CAN message is deemed to be authentic the method maycomprise taking no action and allowing the network to continue tooperate. Where a CAN message is deemed to be inauthentic, the method maycomprise preventing access for the associated node to the network. Themethod may comprise stopping operation of the network altogether. Themethod may comprise alerting a user/operator of the network to theinauthentic signal.

One or more of the nodes may comprise an electronic control unit (ECU).The network may comprise a controller area network flexible data-rate(CAN FD) network or a CAN XL network.

According to an aspect of the subject technology there is provided acontrol system for monitoring operation of a network, the control systemcomprising one or more controllers, and being configured to: receive aninput signal indicative of a measured voltage associated with a messagetransmitted on the network, the measurements being obtained for a datafield of the message, only; determine a message signature in dependenceon the measured voltage, the message signature comprising a voltagecharacteristic associated with the measured voltage; compare the messagesignature with a node signature, the node signature comprising anexpected voltage characteristic determined in dependence on one or morepreviously measured messages on the network; and determine theauthenticity of the message in dependence on the comparison.

According to an aspect of the subject technology there is provided acontrol system for monitoring operation of a controller area network,the control system comprising one or more controllers, and beingconfigured to: receive an input signal indicative of a measured voltageassociated with a CANH signal and CANL signal of a CAN messagetransmitted on the network from a node, the measurements being obtainedfor the data field of the CAN message, only; determine a messagesignature in dependence on the measured voltages, the message signaturecomprising a first voltage characteristic corresponding to the voltageassociated with the CANH signal and a second voltage characteristiccorresponding to the voltage associated with CANL signal duringtransmission of the data field of the CAN message; compare the messagesignature with a node signature for the node, the node signaturecomprising expected first and second voltage characteristics for theCANH and CANL signals, respectively, the expected first and secondvoltage characteristics being determined in dependence on one or morepreviously measured CAN messages on the network; and determine theauthenticity of the CAN message in dependence on a difference betweenthe first and second voltage characteristics of the message signatureand the expected first and second voltage characteristics of the nodesignature.

In embodiments, the one or more controllers the one or more controllerscollectively comprise: at least one electronic processor having anelectrical input for receiving the input signal. The one or morecontrollers may collectively comprise at least one electronic memorydevice electrically coupled to the at least one electronic processor andhaving instructions stored therein. The at least one electronicprocessor may be configured to access the at least one memory device andexecute the instructions thereon so as to compare the message and nodesignatures and determine the authenticity of the CAN message therefrom.

The voltage measurements may relate to the voltage associated with CANHand CANL signals for at least a portion of the data field of the CANmessage. The voltage measurements may relate to the voltage associatedwith the CANH and CANL signals for substantially the whole data field ofthe CAN message.

The control system may be operable, e.g. through output of one or morecontrol signals, to control the timing of the voltage measurements.

The voltage measurements may relate to the voltage associated with CANHand CANL signals for a measurement time period. The measurement timeperiod may be dependent on the length of the data field of the CANmessage. The measurement time period may be dependent on the speed ofthe network. The measurement time period may be dependent on the datalength code (DLC) of the CAN message. The control system may be operableto determine the measurement time period.

The control system may be operable to identify a start-of-frame (SOF)field of the CAN message. The control system may be configured to usethe SOF field to trigger the measurement of the voltage associated withthe CANH and CANL signals of the CAN message. For instance, the controlsystem may be operable to receive the CAN message, identify the SOFfield from the received CAN message and trigger the voltage measurementsin dependence thereon, e.g. by outputting one or more control signals toone or more meters associated with CANH and CANL wires of the network.

The control system may be configured to determine a delay period betweenthe SOF field of the CAN message and the triggering of the voltagemeasurements. The delay period may be dependent on the speed of thenetwork. The delay period may be dependent on the network configuration.For example, the delay period may be dependent on the length (e.g. thenumber of bits) of the CAN message preceding the data field. The numberof bits preceding the data field for a CAN message may differ betweendifferent CAN types, e.g. between CAN 2.0A (which may include 11identifier bits) and CAN 2.0B (which may include 29 identifier bits).The delay period may also be dependent on a buffer. The buffer mayaccount for possible bit stuffing, for example, prior to the data field.The buffer may comprise a multiplication factor applied to the length ofthe CAN message preceding the data field.

The control system may be operable to determine the first and/or secondvoltage characteristics from multiple voltage measurements for both theCANH and CANL signals. The first voltage characteristic may comprise anaverage voltage for the CANH signal. The second voltage characteristicmay comprise an average voltage for the CANL signal.

The control system may be operable to determine whether each of thevoltage measurements corresponds to a dominant or recessive bit. Thismay comprise determining a voltage difference between the CANH and CANLsignals for voltage measurements obtained at the same time. For example,the control system may be operable to subtract the CANL voltage from theCANH voltage. The difference may be compared to a threshold. A voltagemeasurement may be determined to correspond to a dominant bit independence on the difference being greater than the threshold, and bedetermined to correspond to a recessive bit in dependence on thedifference being less than the threshold. The threshold may, forexample, be 1V.

Voltage measurements corresponding to recessive bits may be discarded bythe control system. For example, the control system may be operable todetermine the first voltage characteristic as a voltage associated withone or more dominant bits of the CANH signal. The control system may beoperable to determine the first voltage characteristic as an averagevoltage associated with a plurality of dominant bits of the CANH signal.Equally, the control system may be operable to determine the secondvoltage characteristic as a voltage associated with one or more dominantbits of the CANL signal. The control system may be operable to determinethe second voltage characteristic as an average voltage associated witha plurality of dominant bits of the CANL signal.

In an alternative embodiment, the voltage measurements corresponding todominant bits may be discarded by the control system. For example, thecontrol system may be operable to determine the first voltagecharacteristic as a voltage associated with one or more recessive bitsof the CANH signal. The control system may be operable to determine thefirst voltage characteristic as an average voltage associated with aplurality of recessive bits of the CANH signal. Equally, the controlsystem may be operable to determine the second voltage characteristic asa voltage associated with one or more recessive bits of the CANL signal.The control system may be operable to determine the second voltagecharacteristic as an average voltage associated with a plurality ofrecessive bits of the CANL signal.

In a further embodiment the control system may be operable to determinea message signature which comprises four voltage characteristics. Thefour voltage characteristics may include a first voltage characteristiccorresponding to the voltage associated with dominant bits of the CANHsignal, a second voltage characteristic corresponding to the voltageassociated with recessive bits of the CANH signal, a third voltagecharacteristic corresponding to the voltage associated with dominantbits of the CANL signal, and a fourth voltage characteristiccorresponding to the voltage associated with recessive bits of the CANLsignal. One or more of the first, second, third and fourth voltagecharacteristics may comprise an average voltage value obtained from aplurality of voltage measurements obtained for the data field of the CANmessage.

The control system may be operable to determine the node signature. Thecontrol system may be operable may be operable to determine nodesignatures for each of the plurality of nodes in the network.

The node signature comprises expected first and second voltagecharacteristics for the CANH and CANL signals. The expected first andsecond voltage characteristics are determined in dependence on one ormore previously measured CAN messages on the network. For example, insome embodiments the control system may be operable to determine thenode signature based on a plurality of message signatures determinedbased on voltage measurements of a plurality of CAN messages on thenetwork, e.g. in the same way as the message signature of the measuredCAN message described herein. The previous CAN messages on the networkmay comprise control messages which are known to be authentic. Thecontrol system may assign node signature(s) to one or nodes based onknowledge of the network.

The control system may be operable to determine the expected first andsecond voltage characteristics of a node signature in dependence on aplurality of message signatures of previously measured CAN messages onthe network. For instance, the control system may be operable todetermine the expected first voltage characteristic as an averagevoltage characteristic of first voltage characteristics of a pluralityof earlier CAN messages. In further embodiments, the control system maybe operable to determine the expected first voltage characteristic as acharacteristic indicative of a statistical distribution of first voltagecharacteristics of a plurality of earlier CAN messages. Similarly, thecontrol system may be operable to determine the expected second voltagecharacteristic as an average voltage characteristic of second voltagecharacteristics of a plurality of earlier CAN messages, or may as acharacteristic indicative of a statistical distribution of secondvoltage characteristics of a plurality of earlier CAN messages.

The control system may be operable to determine the expected first andsecond voltage characteristics during an installation phase of thenetwork. The expected first and second voltage characteristics may beupdated, in use, e.g. upon measurement and validation of an authenticCAN message.

The node signature(s) may be stored in a memory accessible by thenetwork, or in particular by the control system.

The message signature may comprise a third voltage characteristicindicative of a voltage difference between the CANH and CANL signals ofthe CAN message. The node signature may comprise a correspondingexpected third voltage characteristic. In such embodiments, the controlsystem may be operable to determine the authenticity of the CAN messagein dependence on a difference between the first, second and thirdvoltage characteristics of the message signature and the expected first,second and third voltage characteristics of the node signature.

The control system is operable to determine the authenticity of the CANmessage. In embodiments, this comprises the control system comparing themessage signature with the node signature, and determining theauthenticity of the CAN message in dependence on a difference betweenthe first and second voltage characteristics of the message signatureand the expected first and second voltage characteristics of the nodesignature. In embodiments, the control system is operable to determinewhether the first and/or second voltage characteristics of the messagesignature is/are within a threshold difference from the correspondingexpected first and/or second voltage characteristics. If the firstand/or second voltage characteristics are outside of the thresholddifference, the control system may be operable to determine that the CANmessage is inauthentic.

The difference between the first voltage characteristic and the expectedfirst voltage characteristic, and/or the difference between the secondvoltage characteristic and the expected second voltage characteristicmay be determined as a distance (e.g. in parameter space). For example,the method may comprise determining a Euclidean distance between thevoltage characteristics of the message signature and the expectedvoltage characteristics of the node signature. The determined distancemay be compared with a threshold, and the method may comprisedetermining an authenticity of the CAN message in dependence on saidcomparison. For example, the CAN message may be determined to beauthentic in dependence on the determined distance being less than thethreshold, and may be determined to be inauthentic in dependence on thedetermined distance being greater than the threshold.

The control system may be operable to characterise a CAN message oncedetermined to be inauthentic. The characterisation may relate to thepossible cause of the inauthentic CAN message. For example, in someembodiments the control system may be operable to compare the messagesignature for a particular CAN message with a plurality of nodesignatures, each relating to different nodes on the network. The controlsystem may then determine the origin of the CAN message in dependence onthis comparison. For instance, if the CAN message is determined to beinauthentic—e.g. lie outside of a threshold difference or distance fromthe expected node signature for that message—but be identified as“authentic” with respect to another node signature—e.g. lie within athreshold difference or distance for the other node signature—it may bedetermined that the possible cause for the inauthentic CAN message iserroneous or possibly malicious control of a node of the network. If theCAN message is determined to be inauthentic for the expected nodesignature, and lies outside of any threshold difference or distance forall other node signatures, it may be determined that the possible causefor the inauthentic CAN message is an inauthentic node which has beenlater introduced to the network—e.g. an “attacker” connecting aninauthentic ECU to the network in an attempt to gain control of thenetwork.

The control system may use a reference node operable to provide areference CAN message on the network. The reference node may be a“trusted” node, that is a node which is known to be authentic. Thecontrol system may be operable to determine a message signature for thereference CAN message, or indeed a node signature for the reference nodein dependence on a plurality of reference CAN messages. The controlsystem may be operable to determine message signature(s) and/or nodesignature(s) for other CAN messages originating from other nodes of thenetwork relative to the message/node signature associated with thereference node. For example, the first and/or second voltagecharacteristics of a given message signature may comprise a relativevoltage value, the relative voltage value being determined relative tothe corresponding first and second voltage characteristics associatedwith the reference node—e.g. as part of a determined node signature forthe reference node. The relative voltage characteristics may bedetermined as a vector, containing data indicative of the distance anddirection of the message signature with respect to the message/nodesignature associated with the reference node. Advantageously, thesubject technology may be operable to monitor drift or other changes inthe voltage characteristics of the network over time.

The control system may be operable to generate and output a controlsignal for controlling operation of the network in dependence on thedetermined authenticity of the CAN message. For example, where a CANmessage is deemed to be authentic the control system may simply take noaction (e.g. not output a control signal), thereby allowing the networkto continue to operate. Where a CAN message is deemed to be inauthentic,the control system may be operable to generate and output a controlsignal for preventing access for the associated node to the network. Forexample, the control signal may be sent on the network to the associatednode to prevent further operation of the node. The control system mayoutput a control signal for stopping operation of the networkaltogether. The control system may be operable to output a controlsignal for alerting a user/operator of the network to the inauthenticsignal. For example, the control signal may be output to a visualdisplay device, or may comprise outputting the signal to a datastore/server for flagging the inauthentic CAN message in a diagnosticstool for the network, for example.

According to another aspect of the subject technology there is providedcomputer software comprising computer readable instructions which, whenexecuted, perform a method in accordance with any aspect describedherein.

According to a further aspect of the subject technology there isprovided a computer readable medium comprising the computer software ofthe preceding aspect of the subject technology.

Optionally, the computer readable medium may comprise a non-transitorycomputer readable medium.

According to another aspect of the subject technology there is provideda network comprising a plurality of nodes and a control system accordingto any preceding aspect of the subject technology.

The network may comprise a controller area network. The network maycomprise a CAN FD network or a CAN XL network.

According to an aspect of the subject technology there is provided asystem comprising a network and/or control system of any aspectdescribed herein.

The system may comprise or be comprised within a vehicle. The vehiclemay be a motor vehicle, an aircraft, a watercraft, for example. Thesystem may comprise a building management system. The system maycomprise a management system for a manufacturing facility.

According to an aspect of the subject technology there is provided avehicle comprising the control system, network or system according toany aspect described herein.

BRIEF DESCRIPTION OF THE FIGURES

In order that the subject technology may be more clearly understood oneor more embodiments thereof will now be described, by way of exampleonly, with reference to the accompanying drawings, of which:

FIG. 1 is a flowchart illustrating an embodiment of a method of thesubject technology;

FIG. 2 is a further flowchart further illustrating the embodiment shownin FIG. 1;

FIG. 3 is an overview of a CAN message;

FIGS. 4A-4B are graphical illustrations of the voltage levels for bothCANH and CANL signals for CAN messages on a network;

FIG. 5 is a graphical illustration of message signatures determined inaccordance with the subject technology for a plurality of CAN messageson a network;

FIG. 6 is a schematic overview of an embodiment of a network formingpart of the subject technology; and

FIG. 7 is a schematic overview of an embodiment of a control systemforming part of the network shown in FIG. 6.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

The present technology relates to a method 10 and control system 102 formonitoring operation of a network 100. As shown in the Figures, thesubject technology extends to a network 100 comprising the controlsystem 102.

FIGS. 1 and 2 illustrate an embodiment of a method 10 for monitoringoperation of a network, e.g. controller area network (CAN) 100.

In general, the method 10 comprises, at step 12, measuring a voltageassociated with a message transmitted on the network 100. A messagesignature is subsequently determined in dependence on the measuredvoltage (step 14). The message signature includes a voltagecharacteristic associated with the measured voltage. At step 16, themessage signature is compared with a stored node signature. The nodesignature includes an expected voltage characteristic which has beendetermined in dependence on one or more previously measured messages onthe network 100. Based on this comparison, an authenticity of themessage is determined (step 18). Finally, at step 20, an appropriateaction is taken depending on whether the message is determined to beauthentic or not.

Here, the network 100 comprises a controller area network (CAN) 100, anexample of which is shown in FIG. 6. CAN 100 comprises a series of nodes120 a, 120 b, 120 c, 120 d each operably coupled to a pair of CAN wires,CANH and CANL, with each node 120 a, 120 b, 120 c, 120 d operable, viarespective transceivers 124a, 124 b, 124 c, 124 d to output voltagelevels on the two CAN wires to form a CAN message in the form of aseries of dominant (logic 0) or recessive (logic 1) bits. Typically, fora dominant bit, any given node is operable to output approximately 3.5Von the CANH wire and 1.5V on the CANL wire—a differential voltage ofapproximately 2.0V. For a recessive bit, any given node is operable tooutput approximately 2.5V on each of the CANH and CANL wires, giving adifferential voltage of approximately 0V. By measuring the differentialvoltage of CANH and CANL, a receiver node can read a CAN message in theform of a series of logic 0 and logic 1 bits.

A schematic overview of a CAN message is shown in FIG. 3. The CANmessage begins with a “Start of Frame” (SOF) bit, and then includes aseries of fields including arbitration, control, data, cyclic redundancycheck and acknowledgment fields before ending with an “End of Frame”field which comprises a series of 7 recessive bits. Each field mayinclude various sub-frames, including an ID (part of the acknowledgementframe) and a data length code (part of the control frame). The ID isspecific to the content of the message and defines the priority of CANmessages on the network. For a standard format, the CAN message has an11-bit ID, but other formats are known, including an extended formatwith a 29-bit ID. The DLC contains information relating to the length ofthe data field.

As is described in detail herein, the present technology advantageouslymakes use of small differences in the CANH and CANL voltage outputs fordifferent nodes, specifically during the data field of a CAN message.Such differences are present due to the nature of the nodes themselves,the position of the nodes within the network, the length of the networkitself. Accordingly, these discrepancies may be used to identify theorigin of any given CAN message on the network. These differences areshown in FIGS. 4A and 4B which show CANH and CANL voltages over time forpart of a CAN message, specifically focusing on the data field. As canbe seen, in FIG. 4A the CANH voltage for a dominant bit during the datafield of a CAN message from a first node is measured to be approximately3500 mV, with the CANL voltage at approximately 1500 mV. For a secondnode (illustrated by FIG. 4B), the CANH voltage for a dominant bitduring the data field is measured to be just less than 3500 mV, perhapsaround 3400 mV, with the corresponding CANL value at around 1400 mV.Accordingly, the present technology realises that using this difference,the origin (i.e. which node) of any given CAN message can be determined,or it can at least be determined whether a CAN message with a given IDis authentic based on previously observed voltage values for CANmessages with that particular ID.

Access to the network 100 is resolved during arbitration in a mannerknown in the art, and will not be described in detail herein. However,it is important to note that during arbitration a number of nodes may beattempting to access the network, with priority given to the node havingthe “lowest” ID. Similarly, during acknowledgment, nodes other than thetransmitting node each send a dominant (logic 0) bit on the network toacknowledge receipt of the CAN message. Again, this may result innumerous nodes accessing the network concurrently during acknowledgment.Accordingly, the voltage value on the CANH and CANL wires duringarbitration and acknowledgement can vary significantly, masking anydifferences in the true voltage output from different nodes. This isshown in FIGS. 4A and 4B, where relatively high voltage levels areobserved on the CANH wire, and relatively low voltage levels areobserved on the CANL wire immediately prior to and/or after the datafield. As is discussed herein, the present technology advantageouslyignores the voltage characteristics of the CAN message duringarbitration and acknowledgement.

Method 10 is described in detail hereinbelow, referring back to FIGS. 1and 2.

At step 12, the method 10 comprises measuring a voltage associated witha CAN message transmitted on the network 100. Specifically, step 12comprises measuring a voltage associated with a CANH signal and CANLsignal of the CAN message transmitted on the network from a node. As isdiscussed herein, the voltage measurements are advantageously obtainedfor the data field of the CAN message, only.

This is achieved by identifying the SOF of the CAN message and using theSOF as a trigger to begin measurement of the voltages of the CANH andCANL wires. Advantageously, the method 10 includes introducing a delayafter the SOF before beginning voltage measurements so as to ignore thearbitration field of the CAN message. The delay period is dependent onthe speed of the network and the number of bits of the CAN messagepreceding the data field which may differ between CAN types A buffer isalso applied to the length of the CAN message preceding the data fieldto account for any bit stuffing. The delay period may be determined inreal time or can be predefined—the method is not limited in this sense.

In addition, the method 10 comprises measuring the voltage associatedwith CANH and CANL signals for a measurement time period, following thedelay, which is dependent on the length of the data field of the CANmessage, determined from the DLC of the CAN message and again the speedof the network. The measurement time period may be determined in realtime or can be predefined—the method is not limited in this sense.Advantageously, the method 10 measures the voltages associated with CANHand CANL only during transmission of the data field, thereby mitigatingany issues caused by multiple nodes attempting to access the network.

At step 14, a message signature is determined in dependence on themeasured voltages. The message signature includes a first voltagecharacteristic corresponding to the voltage associated with the CANHsignal and a second voltage characteristic corresponding to the voltageassociated with CANL signal during transmission of the data field of theCAN message.

Specifically, multiple voltage measurements for both the CANH and CANLsignals are measured during transmission of the data field of the CANmessage. These measurements are then processed to obtain an averagevoltage for the CANH signal—the first voltage characteristic, and anaverage voltage for the CANL signal—the second voltage characteristic.

These averages are obtained only for the dominant bits of the data fieldof the CAN message. To differentiate between dominant and recessivebits, the method 10 includes determining a voltage difference betweenthe CANH and CANL signals for voltage measurements obtained at the sametime. This includes subtracting the CANL voltage from the CANH voltageand comparing the difference to a threshold. The voltage measurementsare determined to correspond to a dominant bit where the differencebetween the CANH and CANL voltages is greater than the threshold.Typically, the threshold may be set at 1V. This may account for poorgrounding of the network, or nodes within the network which mightotherwise lead to inaccuracies if absolute voltage values were used todiscriminate between dominant and recessive bits.

At step 16, the determined message signature is compared with a nodesignature for the node (as determined by the ID of the CAN message). Thenode signature includes expected first and second voltagecharacteristics for the CANH and CANL signals, which have beendetermined based on one or more previously measured CAN messages on thenetwork which are known to be authentic, and are typically determined inthe same way as the message signature of the measured CAN message asdescribed herein. For instance, the expected first and second voltagecharacteristics can comprise average voltage characteristics of firstand second voltage characteristics of a plurality of earlier CANmessages. In a variant, the expected first and second voltagecharacteristics can be indicative of a statistical distribution of firstand second voltage characteristics of a plurality of earlier CANmessages. The node signatures are assigned to one or more nodes based onknowledge of the network—i.e. “Node A” has a first node signatureassigned with expected first and second voltage characteristics for NodeA, “Node B” has a first node signature assigned with expected first andsecond voltage characteristics for Node B, and so on for each of thenodes on the network. Typically, this assignment takes place during aninstallation phase of the network, but in an advantageous extension ofthe method, the expected first and second voltage characteristics foreach node signature may be updated in use, e.g. upon measurement andvalidation of an authentic CAN message. The node signatures are storedin a memory accessible by the network.

At step 18, the method 10 comprises determining the authenticity of theCAN message. Here, this comprises comparing the message signature withthe node signature, and determining the authenticity of the CAN messagein dependence on a difference between the first and second voltagecharacteristics of the message signature and the expected first andsecond voltage characteristics of the node signature. Specifically, thedifference between the first voltage characteristic and the expectedfirst voltage characteristic, and the difference between the secondvoltage characteristic and the expected second voltage characteristic isdetermined as a distance in parameter space.

This is shown figuratively in FIG. 5 which shows a plot of CANH againstCANL values for a plurality of CAN messages. Where points on this plotare grouped—e.g. groups 30 a, 30 b, 30 c, 30 d, 30 e—they are determinedto correspond to authentic CAN messages originating from a particularnode. These groupings are then used to define the node signatures forthe particular nodes, and a following message signature may then becompared with that node signature to determine its authenticity. In theillustrated embodiment, the method 10 comprises determining a Euclideandistance between the position of the voltage characteristics of themessage signature and the expected voltage characteristics of the nodesignature corresponding to the believed origin (e.g. as determined bythe ID of the CAN message). The determined distance is compared with athreshold and the authenticity of the CAN message is determined based onsaid comparison. Specifically, the CAN message is determined to beauthentic in dependence on the determined distance being less than thethreshold, and is determined to be inauthentic in dependence on thedetermined distance being greater than the threshold (FIG. 2).

In an example, the ID for a particular measured CAN message may suggestthat the expected voltage characteristics of the message signaturecorrespond to the node signature associated with a group 30 a. However,upon determination of the voltage characteristics for the CAN message,the message signature is determined to be positioned at point 40 in FIG.5. This may be determined to sit outside of the threshold distance fromthe node signature associated with group 30 a and hence the CAN messageis deemed to be inauthentic.

Finally, once the authenticity of the CAN message has been determined atstep 18 the method moves on to step 20 where an appropriate action istaken depending on the determined authenticity of the CAN message. Thesubject technology is not limited in this sense, but example actions mayinclude taking no action and allowing the network to continue to operatewhere a CAN message is deemed to be authentic (step 20 b).Alternatively, where a CAN message is deemed to be inauthentic, themethod can include preventing access for the associated node to thenetwork, disabling the network altogether and/or alerting a user oroperator of the network to the inauthentic signal (step 20 a).

Embodiments of a network 100 and associated control system 102 are shownschematically in FIGS. 6 and 7.

The network 100 includes a plurality of nodes 120 a, 120 b, 120 c, 120 dand a controller in the form of a monitoring node 104 operably andcommunicably coupled to a pair of signal wires—CANH and CANL. Asdiscussed herein, each of the nodes 120 a, 120 b, 120 c, 120 d isconfigured to output voltage levels on the two CAN wires CANH and CANLto form a CAN message in the manner described herein. The nodes 120 a,120 b, 120 c, 120 d include respective transceivers 124 a, 124 b, 124 c,124 d for transmitting (and receiving) the signals to/from the CANwires. In addition, each node 120 a, 120 b, 120 c, 120 d includes arespective processor 122 a, 122 b, 122 c, 122 d for controllingoperation of the node 120 a, 120 b, 120 c, 120 d, and a CAN module 126a, 126 b, 126 c, 126 d for specifically controlling the interfacebetween the node 120 a, 120 b, 120 c, 120 d and the CAN wires CANH,CANL. As will be appreciated, the processors 122 a, 122 b, 122 c, 122 dmay each be individually operable to control respective functions of alarger system—e.g. the nodes 120 a, 120 b, 120 c, 120 d may compriseECUs on a vehicle, each operable to control different aspects of thevehicle reporting to or taking instruction from the CAN bus.

In the illustrated embodiment, the control system 102 comprises themonitoring node 104 which is configured similarly to nodes 120 a, 120 b,120 c, 120 d on the network. The monitoring node 104 includes anelectronic processor 106. The processor 106 is operably coupled to a CANtransceiver 108 for receiving input signals from the CAN bus indicativeof the voltage level on the CANH and CANL wires of the bus. Themonitoring node 104 includes an electronic memory device 112electrically coupled to the processor 106 and includes instructionsstored therein. The instructions may relate to operating instructionsfor the monitoring node 104. The memory device 112 can include one ormore node signatures stored therein and is accessible by the processor106 of the monitoring node 104, in use. The processor 106 is configuredto access the memory device 112 and execute the instructions in order toperform the method 10 described herein and discussed further below.

Specifically, the monitoring node 104 is configured to receive inputsignals from the CANH and CANL wires indicative of a voltage associatedwith a CAN message transmitted on the network 100. The processor 106 isconfigured to use these voltage measurements to determine a messagesignature in the manner described herein, i.e. as per step 14 of method10. Specifically, the processor 106 is able to extract the voltagemeasurements from the input signal and generate first and second voltagecharacteristics for the CAN message to form the message signature. Theprocessor may then compare the message signature with a node signaturestored in the memory device 112 and based on this comparison, determinean authenticity of the CAN message. The control system 102 is configuredto take an appropriate action based on whether the message is determinedto be authentic or not. This may take any one of a number of forms, andthe subject technology is not limited in this sense. However, in anexample embodiment, the monitoring node 104 may be operable, viatransceiver 108, to send a further CAN message on the network 100 tocontrol operation of a node 120 a, 120 b, 120 c, 120 d on the network,e.g. a node determined to have transmitted an inauthentic message, toprevent access to the network 100 for that particular node. In a furtherexample, the monitoring node 104 may be operable to shut down thenetwork 100 altogether. In yet a further example, the monitoring node104 may be operable to control output of an alert to a user of thenetwork 100 informing said user of the determination of the inauthenticmessage on the network 100. The control system 102 can include anoutput, e.g. an electronic output for outputting a control signalindependent of the network 100, e.g. a separate wired or wirelessconnection with a further control unit.

The one or more embodiments are described above by way of example only.Many variations are possible without departing from the scope ofprotection afforded by the appended claims.

1. A method for monitoring operation of a controller area network (CAN)comprising a plurality of nodes, the method comprising: measuring avoltage associated with a CAN High (CANH) signal and a CAN Low (CANL)signal of a CAN message transmitted on the network from a node, themeasurements being obtained for the data field of the CAN message, only;determining a message signature in dependence on the measured voltages,the message signature comprising a first voltage characteristiccorresponding to the voltage associated with the CANH signal and asecond voltage characteristic corresponding to the voltage associatedwith CANL signal during transmission of the data field of the CANmessage; comparing the message signature with a node signature for thenode, the node signature comprising expected first and second voltagecharacteristics for the CANH and CANL signals, respectively, theexpected first and second voltage characteristics being determined independence on one or more previously measured CAN messages on thenetwork; and determining the authenticity of the CAN message independence on a difference between the first and second voltagecharacteristics of the message signature and the expected first andsecond voltage characteristics of the node signature.
 2. A method asclaimed in claim 1, comprising measuring the voltage associated withCANH and CANL signals for a measurement time period.
 3. A method asclaimed in claim 2, wherein the measurement time period is dependent onone or more of: the length of the data field of the CAN message; thespeed of the network; and the data length code (DLC) of the CAN message.4. A method as claimed in claim 1, comprising identifying astart-of-frame (SOF) field of the CAN message, and using the SOF fieldto trigger the measurement of the voltage associated with the CANH andCANL signals of the CAN message.
 5. A method as claimed in claim 1,comprising delaying measurement of the CANH and CANL voltage for a delayperiod.
 6. A method as claimed in claim 5, wherein the delay period isdependent on one or more of: the speed of the network; the length of theCAN message preceding the data field; and a buffer.
 7. A method asclaimed in claim 1, comprising obtaining multiple voltage measurementsfor both the CANH and CANL signals, wherein the first voltagecharacteristic comprises an average voltage for the CANH signal and thesecond voltage characteristic comprises an average voltage for the CANLsignal.
 8. A method as claimed in claim 1, comprising determiningwhether each of the voltage measurements corresponds to a dominant orrecessive bit.
 9. A method as claimed in claim 8, comprising determininga voltage difference between the CANH and CANL signals for voltagemeasurements obtained at the same time, and comparing the voltagedifference to a threshold.
 10. A method as claimed in claim 9,comprising determining that a voltage measurement corresponds a dominantbit in dependence on the difference being greater than the threshold,and determining that a voltage measurement corresponds to a recessivebit in dependence on the difference being less than the threshold.
 11. Amethod as claimed in claim 8, comprising discarding voltage measurementscorresponding to recessive bits.
 12. A method as claimed in claim 11,wherein the first voltage characteristic comprises an average voltageassociated with a plurality of dominant bits of the CANH signal, and thesecond voltage characteristic comprises an average voltage associatedwith a plurality of dominant bits of the CANL signal.
 13. A method asclaimed in claim 1, wherein the expected first and second voltagecharacteristics of the node signature are determined in dependence onone or more previously measured control CAN messages on the network. 14.A method as claimed in claim 1, wherein the message signature comprisesa third voltage characteristic indicative of a voltage differencebetween the CANH and CANL signals of the CAN message, and the methodcomprises determining the authenticity of the CAN message in dependenceon a difference between the first, second and third voltagecharacteristics of the message signature and the expected first, secondand third voltage characteristics of the node signature.
 15. A method asclaimed in claim 1, comprising determining whether the first and/orsecond voltage characteristics of the message signature is/are within athreshold difference from the corresponding expected first and/or secondvoltage characteristics, and determining the authenticity of the CANmessage in dependence thereon.
 16. A method as claimed in claim 15,wherein the difference between the first voltage characteristic and theexpected first voltage characteristic, and/or the difference between thesecond voltage characteristic and the expected second voltagecharacteristic is determined as a distance.
 17. A method as claimed inclaim 16, wherein the distance comprises a Euclidean distance betweenthe voltage characteristics of the message signature and the expectedvoltage characteristics of the node signature.
 18. A method as claimedin claim 16, comprising comparing the determined distance with athreshold, and determining an authenticity of the CAN message independence on said comparison, wherein the CAN message is determined tobe authentic in dependence on the determined distance being less thanthe threshold, and is determined to be inauthentic in dependence on thedetermined distance being greater than the threshold.
 19. A method asclaimed in claim 1, comprising using a reference node operable toprovide a reference CAN message on the network.
 20. A method as claimedin claim 19, wherein the first and/or second voltage characteristics ofthe message signature comprise a relative voltage value, the relativevoltage value being determined relative to corresponding first andsecond voltage characteristics associated with the reference node.
 21. Amethod as claimed in claim 1, comprising controlling operation of thenetwork in dependence on the determined authenticity of the CAN message.22. A method as claimed in claim 21, comprising preventing access forthe node to the network, stopping operation of the network altogether,and/or alerting a user or operator of the network to the inauthenticsignal in dependence on the determination of an inauthentic CAN message.23. A control system for monitoring operation of a controller areanetwork, the control system comprising one or more controllers, andbeing configured to: receive an input signal indicative of a measuredvoltage associated with a CANH signal and CANL signal of a CAN messagetransmitted on the network from a node, the measurements being obtainedfor the data field of the CAN message, only; determine a messagesignature in dependence on the measured voltages, the message signaturecomprising a first voltage characteristic corresponding to the voltageassociated with the CANH signal and a second voltage characteristiccorresponding to the voltage associated with CANL signal duringtransmission of the data field of the CAN message; compare the messagesignature with a node signature for the node, the node signaturecomprising expected first and second voltage characteristics for theCANH and CANL signals, respectively, the expected first and secondvoltage characteristics being determined in dependence on one or morepreviously measured CAN messages on the network; and determine theauthenticity of the CAN message in dependence on a difference betweenthe first and second voltage characteristics of the message signatureand the expected first and second voltage characteristics of the nodesignature.
 24. A control system according to claim 23, furthercomprising a network comprising a plurality of nodes.
 25. A controlsystem according to claim 23, wherein the control system is on avehicle.